According to the 2018 Ponemon Institute Data Breach Study[i],
the average total cost of a data breach is $3.86 million. Data breaches aren’t
the only type of devastating cybersecurity problem and global costs for
ransomware are expected to reach $11.5 billion[ii]
in 2019. Malware can quickly bring a halt to your business activities and we
have seen municipal services brought down for over a week because of infections
that were a result of failure to follow policies and procedures.

Non-fiscal consequences of information security problems may
have a more significant long-term impact on your organization than fiscal
consequences and may include loss of reputation and litigation.

Information Security disasters are almost always a reflection
on organizational management and the worst time to find out that you didn’t
have a comprehensive cybersecurity program is in the aftermath of a breach. Most
cybersecurity events occur for one of three reasons:

People didn’t do what they were supposed to do
(e.g. patching, backing up, checking logs).

People did something they weren’t supposed to do
(e.g. using inappropriate web sites, inserting flash drives, opening links in
phishing e-mails).

People have no idea what they are supposed to do
(lack of policy and procedures throughout the organization).

Knowing what your staff is doing is a basic management
responsibility. Show me a cybersecurity incident, and I will show you a chain
of supervision and management failures that go all the way to the top of an
organization.

Boards and governing bodies are beginning to see it this way
too, and currently, senior C-level executives lose their jobs in roughly
one-third of breaches[iii]
and other cybersecurity events.

Quite simply, information and cybersecurity are management
responsibilities and good information security programs require ongoing
management attention. Managers don’t need to be cybersecurity or technical
experts; they do need to ensure that appropriate controls, policies, and
procedures are in place. Your IT department isn’t the solution; management principles
are.

Depending on what research you read, somewhere between 60
and 90 percent of cybersecurity problems are caused by human error. In my
experience, 90 percent sounds about right, although it could easily be closer
to 100 percent. This all fits right in with W.E. Deming’s theory that 94% of
problems in an organization are a result of management failures.

Major information breaches occur daily and only a small
percentage of these make headline news. The most infamous of these include
Equifax, Marriott, Yahoo, Target, and Anthem. In many local governments and
smaller enterprises, the cybersecurity programs are not sufficiently robust to
even identify whether a breach has occurred.

A small sampling of 2018 information security incidents from
the county and municipal sectors includes:

City of Atlanta

St. Lawrence County, New York

Adams County, Wisconsin

Otsego County, NY

50 central New York school districts

What most breaches have in common is that technology didn’t
fail – people failed. Policies, procedure, and management failed. In the
Equifax breach, someone failed to apply current patches to servers with known
vulnerabilities. The CEO, Richard Smith, lost his job over the incident, but he
wasn’t the culprit who failed to patch. He did handle the incident poorly,
though.

If you take a proactive approach to cybersecurity, you have
control over what you do and how you do it. However, in the aftermath of a
breach, you may find your organization under investigation by the US Office of
Civil Rights if the breach involved PHI, and criminal charges may be involved as
well. Your response may be dictated by state and federal regulators, and you
will have lost control of the process. A proactive approach to cybersecurity is
clearly more desirable.

How would your organization be able to identify a breach? In
the case of Adams County, WI the breach went on undetected for over five years
and resulted in the disclosure of PHI and PII of over 250,000 residents. Five
years! Would your staff be able to detect a breach?

Would you know how to respond to a breach? When it comes to
cybersecurity, you must know how to respond to disasters before they happen and
developing an incident response plan is part of the process of building a
comprehensive information security program. A disciplined approach forces you
to think about everything so that when a disaster of some sort does occur, you
are prepared to deal with it immediately. However, if you have taken a
comprehensive approach to cybersecurity, a disastrous problem is far less
likely to occur. And, if it does occur, the response and cleanup is
considerably easier.

Most information and cybersecurity problems are caused by
people, so why are most cybersecurity programs built on technology? The
foundation for a great cybersecurity program is policy and procedure.

Often, when I talk to executives and managers, their
response to information from me is something like, “Wow. This is great
information. I’ll show it to my IT people.” This is a pretty clear
indication that they didn’t hear anything I just presented. This is
understandable; most managers have been conditioned to believe that information
security is an IT responsibility.

As an executive, you will be held accountable for a serious
cybersecurity incident, especially if the problem was caused by lack of policy,
procedure, and management oversight.

The conventional wisdom in local governments is that
information and cybersecurity are functions that should be delegated to an IT
Director or CIO. As is the case with most conventional wisdom, this view is
wrong.

Cybersecurity is often treated as a form of black magic
where wizards practice their secret arts in the data center. In reality, the
processes, procedures, and activities that your staff should be performing
routinely are well-known and widely published. Are your staff members following
these publicly available standards?

Over the last several decades, many comprehensive standards
and frameworks for information and cybersecurity have grown and matured. These
frameworks have been developed by large workgroups of brilliant people who have
devoted their professional careers to the study of information security. Local
governments rarely implement these frameworks and instead rely on ad hoc
programs designed by staff members untrained in information security practices
and procedures. None of these standards or frameworks recommends delegation of
cybersecurity to IT staff; all of them recommend comprehensive approaches that
include the participation of directors, executives, and senior managers in
building a comprehensive plan.

The good news is that this problem is simple to fix.
Building a solid, standards-based cybersecurity program is a team effort and
the majority of controls that should be implemented are not technical in
nature, but administrative.

How do you know if you have a standards-based cybersecurity
program or an ad hoc one? It is easy to identify a real cybersecurity program
and six elements distinguish a comprehensive program from a poor one:

1. Comprehensive Security Policy. For most
municipal governments, this document should probably consist of 25 or more
pages and at least 40-50 policies, but probably many more. Good security
policies are typically developed over a long period of time.

2. Acceptable Use Policy. This document
describes standards for using company-owned resources, ownership, reporting
requirements, etc. but may also address the use of social media, work-at-home
policies, and a great deal more.

3. Risk Assessment Report. Risk assessments
are a requirement of every standards-based security framework. If you don’t
have a relatively current risk report, your security program doesn’t meet the
standards of any generally accepted information security framework.

4. Documentation. Extensive documentation demonstrating
compliance with your organization’s security policy should be readily available
at all times. Do you have evidence that backups are validated? Are logs
checked? Excellent documentation is a required component of a true information security
program.

5. Management participation. Participation
of directors and senior managers in an information security program is a
requirement. For most county and municipal governments, managing and
understanding the scope of information and the regulatory requirements are
beyond the knowledge, skills, and abilities of the IT staff.

6. Accountability. A good cybersecurity
program requires participation of staff and management throughout the
organization. Responsibility and accountability for the many tasks must be
clearly documented so everyone understands their part.

There are many moving parts to a good cybersecurity program
and the formula for it looks something like this:

There is no reason for the existence of ad hoc information
security programs, especially in the public sector. There are numerous
generally accepted and widely available frameworks for building a comprehensive
information security program. These are either free or dirt cheap and they
describe exactly how to build an information security program in any
organization. A comprehensive approach is not expensive and there are not
necessarily capital expenses involved.

You can use any of the following documents to begin building
a comprehensive information and cybersecurity program.

This is the international standard for building an information
security program. It is available from the ANSI web store for $138. It is
roughly 30 pages and describes exactly how to build a comprehensive security
program for any organization from scratch.

The HIPAA Security Rule is a federal regulation (45 CFR parts
160, 162, 164) for protecting PHI, but it can also be used as a framework for
building an information security program. If you have PHI (most counties do) to
protect, you could start your program by building it on HIPAA and then use one
of the other frameworks to supplement what HIPAA misses. A common misconception
about HIPAA is that it is an onerous regulation that is difficult to comply
with. In truth, HIPAA sets a low bar and you will definitely need to supplement
a HIPAA compliance program with additional policies and procedures.

Building a comprehensive, standards-based cybersecurity
program is a straightforward process. In general, we recommend an approach
something like this:

1. Establish a governance committee. The membership of your governance committee should include people who are
expert in various aspects of the information you maintain. For a county
government, this might include the county recorder, corporate compliance,
public or mental health, human resources, the county attorney, and information
technology. A senior executive and a board member should also be on the
committee.

2. Get a risk assessment. Risk assessment is an absolute requirement. If you have someone on the
staff skilled in this, you can do it internally. If your organization has never
gone through a risk assessment process, you should contract an outside firm for
the first one unless you have staff members who are capable of objectively
performing one. Risk assessments should be carefully scoped.

3. Create an asset inventory. A complete, current inventory of all your information assets, including
digital data, applications, physical information (paper records), and hardware,
is an absolute requirement. Most local governments don’t have this information
in detail that would stand up to any kind of audit.

4. Create a comprehensive security policy. A primary responsibility of your governance committee will be to draft a
comprehensive security policy that addresses your organization’s unique needs
relative to risk. The policy should be approved by your governing board. You
can and should build your program on any of the three frameworks described
above. You’ll have to decide which one is the most appropriate depending on
your unique business requirements.

5. Create a risk management plan. The risk assessment process will identify many shortcomings in your information
security program. It is the responsibility of your board and senior executives
to identify risk appetite and priorities for risk mitigation.

Does all you have read so far sound straightforward and
simple? It is.

There is no reason for any local government agency not to
implement a comprehensive cybersecurity program. While the steps are simple, it
may not be easy to implement and the problems you encounter are more likely to
be administrative and procedural rather than technical. Technical
implementation of a cybersecurity program is the easiest part; getting the
management structure right is much more difficult.

If you proceed down the path to standards-based
cybersecurity, you may find that it takes six months to a year to put all the
policy and procedural components into place, get a risk assessment, make a plan,
and implement it, but this all depends on the availability of resources and
your commitment to the project.

Building a security program on standards and best practices
may require no capital expenditures but it requires time and attention from
managers throughout your organization. In general, local governments don’t lack
the funding for technical controls and many of them already have all the required
technology in place. What local governments are generally missing are clear
policies, procedures, and accountability.

If you would like assistance with your program, give us a
call. We provide comprehensive management services for information security and
can help you through every step of the process. Visit our website for more
information on our services for
local governments.

In this video, “Cybersecurity, cyber risk, and liability in local government,” I ask and answer 11 questions that local government executives and elected officials should be able to answer about their cybersecurity programs and it provides actionable information on building a cybersecurity program in the public sector. Watch it now! In 28 minutes you’ll get a complete overview of cybersecurity in the public sector, learn how to evaluate your program, assess your risk, and build a comprehensive standards-based program from the executive perspective. Questions answered include:

1. What kind of information do local governments collect and maintain?

2. Is local government regulated?

3. What regulations apply?

4. What are the risks?

5. What’s the liability?

6. How are they assessing and managing risk?

7. How do you build a cybersecurity program in the public sector?

8. What does the management structure look like?

9. How do you staff it?

10. How much does it cost?

11. What are the responsibilities of directors, managers, elected officials and staff throughout the organization?

Watch it and don’t forget to subscribe. If you like it, LIKE IT and thanks for watching.

NIST Cybersecurity Framework

Version 1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) celebrated its fourth birthday in February. The CSF is a “risk-based approach to managing cybersecurity risk… designed to complement existing business and cybersecurity operations.” I recently spoke with Matthew Barrett, NIST program manager for the CSF, and he provided me with a great deal of insight into using the framework.

NIST (National Institute of Standards and Technology) is a division of the U.S. Department of Commerce, and they have been involved in information security since the 1970s. On May 11, 2017, President Trump signed Executive Order 13800 requiring all federal agencies to use the CSF, so if you conduct business with these entities, you are likely to hear a great deal more about it in the near future.

Current State of Cybersecurity

To begin the conversation, I asked Matthew what he thought about the current state of cybersecurity in business and government.

“I think there is a bit of an awakening going on to the true importance of just how foundational cybersecurity is,” he says. “It used to be that businesses were based on trust, and it is still the case. Increasingly, we’ve built out our technological infrastructure and more and more important over time is digital trust. I’m not sure whether all parties understood when they were implementing those technologies just how much that pendulum was going to swing from traditional trust models to the digital representations of those trust models. It’s not an overnight thing. There’s a cascade. I see a ripple that has started that hasn’t completed its way across the pond.”

The CSF in a Nutshell

If you have worked with other security standards or frameworks based on best practices or compliance approaches, the CSF provides a different viewpoint. It is not intended to be used as a standalone framework for developing an information security program. Rather, the CSF is designed to be paired with other frameworks or standards such as ISO/IEC 27000, COBIT 5, ANSI/ISA 62443, and NIST SP 800-53. It is also meant to be customized rather than being used as a process or activity checklist. The CSF has three components – the core, tiers and profiles.

Framework Core

The core of the framework has five functions – identify, protect, detect, respond and recover. These functions can be thought of as outcomes and aligned with them are 22 categories, 98 subcategories, 125 outcomes and 287 informative references (controls). The core, with all the informative references, is also available in Excel format which can make a handy template to add to your cybersecurity policy and control toolkit. According to Matthew, becoming comfortable with these five functions and the associated concepts at the leadership level tends to be the first stage of the adoption curve.

Tiers

Determining the organization’s tier is often the second step in adoption. The tiers are a useful tool and they “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” There are four tiers: partial, risk-informed, repeatable and adaptive. Although the tiers don’t officially function as a maturity model, it is difficult for me not to see them as such.

However, Matthew explained the CSF’s position on maturity models: “We take exception to the way maturity models are applied where everyone has to get the highest mark on the maturity scale. That’s a great ambition. Rooted in the real world of things, we know that people have budgets, and those budgets are finite. More so than the way people tend to implement maturity models, we’re trying to highlight that you can pick and choose.”

“In my mind’s eye,” Matthew continued, “I picture a tier that isn’t even on the map. A tier zero. There’s a group of people who have managed to short-list high-impact items, and that’s about all they do relative to cybersecurity. For most people, that’s a temporary stopping point. Some people stop there and never get to dynamic, iterative cybersecurity risk management.”

Based on my own personal observations in the field, most SMBs, local governments and even many larger entities probably fall into Tier 1, and the only way to realistically get to Tier 2 is for management to become risk informed. However, getting executives and boards interested in information and cybersecurity is a formidable hurdle.

If an organization is truly a part of national critical infrastructure, remaining at Tier 2 would be troubling. Tier 3 is the first tier that defines organization-wide policy as a requirement, and I would personally see Tier 3 as the minimally acceptable target for most organizations, but this is my opinion rather than NIST’s or Matthew’s.

The tiers do provide a solid tool for organizational management to realistically evaluate their cybersecurity program and make rational, pragmatic, informed business decisions for program improvements going forward. Taking the leap from Tier 1 to Tier 2 is probably the most difficult step for most organizations. Once an organization gets to Tier 2, management has accountability and consequently more motivation to move forward.

Framework Profiles

NIST recommends that the framework be “customized in a way that maximizes business value,” and that customization is referred to as a “Profile.”

Matthew believes that all cybersecurity programs have three things to do and three things only:

Support mission/business objectives;

Fulfill cybersecurity requirements; and

Manage the vulnerability and threat associated with the technical environment.

The CSF provides a seven-step process for creating or improving a cybersecurity program using a continuous improvement loop:

Prioritize and scope

Orient

Create a current profile

Conduct a risk assessment

Create a target profile

Determine, analyze, and prioritize gaps

Implement action plan

Profiles can be used as a tool to provide a basis for prioritization, budgeting and gap analysis.

Distributing Risk

One of my personal rants is on the disinterest so many executives show toward information security. I am always irritated when I see IT and security managers unilaterally commit an organization to cyber risk without obtaining informed consent from senior management. Often, these staff members make decisions that are far outside the scope of their roles and authority, and I think some executives prefer their own blissful state of ignorance. This leaves too much room for managers to claim “I never knew. Mistakes were made.” Like both ISO 27001 and COBIT 5, the CSF clearly defines management’s role in information security processes, so the CSF can be used as a powerful tool to engage boards and managers and hold them accountable for risk and budgeting decisions.

Matthew’s response to my rant was diplomatic. “I wonder whether the very nature of cybersecurity professionals makes us hold on to risk decisions rather than distribute them portfolio style. Smaller, less impactful risk decisions that are distributed. Distribute decisions, empower folks, and there is accountability around that empowerment, as well.” The CSF provides tools to distribute this risk.

Adoption and Implementation Trends

Results from a 2015 Gartner poll claim that about 30% of organizations have adopted the CSF and by 2020, 50% of organizations will have adopted it. I am skeptical of this assessment. Based on personal observation of the SMB and local government sectors, I would be astonished to find that even 25% of them have formal information security programs based on any framework or standard, let alone the CSF.

However, CSF has been used and customized by a diverse group of organizations such as the Italian government, the American Water Works Association, Intel, the Texas Department of Information Resources, and many others. Case studies can be found on the NIST CSF website.

Summary

It’s always good to look at information security programs from multiple viewpoints and the NIST CSF provides many excellent tools to do just that. NIST provides many additional materials on using the framework and they can be found on the CSF Homepage. The site also has an excellent 30-minute video presentation of Matthew providing an overview of the framework.

Information security and cybersecurity are huge problem areas in county and municipal governments. In this six-page article on the subject, I cover the information every county and municipal leader should know including a summary of problems, barriers, specific solutions, and resources. The free document is available here. The intended audience is CEO, CAO, CFO, COO, County or city manager, county commissioner, city council member, or other senior management personnel in the public sector. This is a reprint of my two-part article published in CIO.com last year.


Have questions?

Want to talk about information security in your organization? Click on the link below to e-mail me and schedule a time to talk.

The cybersecurity risk to local government

Weak or nonexistent cybersecurity programs represent a massive organizational risk to county and municipal government agencies in the United States. County and municipal executives are often unaware of these risks because they assume that their IT Director, CIO, or an external vendor is managing security and addressing the risks. It is rare that such an assumption is correct.

While the Ponemon Institute[i] found that “federal organizations have a stronger cybersecurity posture than state and local organizations,” the Brookings Institute[ii] concluded that “the vast majority of public agencies lack a clear cybersecurity plan.” Much of the available research is based on small samples and I believe that these studies may understate the scope of the problem. Based on my 23 years of working with public sector organizations, I can state with confidence that most lack any cybersecurity plans at all.

Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive, assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the appropriate frameworks, infrastructure, policies and procedures are in place and working correctly.

Definitions

The need for information security is as old as civilization and possibly as old as life on earth. Information Security (Infosec) was invented to protect the first secret – whenever and whatever that was. Infosec is not solely a human artifact — my Great Dane always felt the need to maintain security concerning the location of his favorite bones and dead woodchucks. Techniques, methods and models for protecting information haven’t changed all that much and the methods of cybersecurity are largely based on models for protecting physical information.

Information Security refers to the discipline and processes to protect the confidentiality, integrity and availability of all your information regardless of form. Cybersecurity is a subset of information security and applies to digital data. In this article, I may use them interchangeably even though they are not, but counties and municipalities need an Infosec plan that includes cybersecurity.

Municipal data – a pot of gold

County and municipal networks are treasure chests overflowing with priceless gems. Mortgage documents, deeds, births, deaths, ugly divorces, medical records, social security numbers, and military discharge documents are among the many types of publicly accessible documents that may contain PII (Personally Identifiable Information), PHI (Protected Health Information), or other sensitive information. Constituents turn over all this information naively assuming that you are doing everything in your power to protect it from theft and misuse. Are you a worthy steward of this treasure?

Root causes and obstacles

Let’s discuss eight of many root causes of failure to establish appropriate information security programs in local government organizations. Subsequently, we’ll move on to a methodical, practical approach you can initiate immediately to improve your cybersecurity posture.

Personnel

“A lack of skilled personnel is a challenge at both federal and state and local organizations.”[iii] One problem is that many public sector IT Directors and CIOs don’t have the knowledge, training and background to plan and deliver acceptable, standards-based, comprehensive information security programs. They are often unaware of widely accepted standards, guidelines and frameworks that are readily available, so cybersecurity planning is often amateur and homebrewed. Moreover, HR and hiring managers often don’t understand the required skills[iv] and look for the wrong people.

The largest municipal agencies may employ a CISO (Chief Information Security Officer) but the vast majority of public sector organizations do not have a dedicated information security executive and staff, nor should they necessarily require one.

IT staff members are rarely trained in or even familiar with relevant statutory compliance requirements. I have come to expect a deer-in-the-headlights look from public sector CIOs and IT staff when inquiring about security policies, privacy policies and other matters of security and compliance. Questions about HIPAA Security Rule compliance, for instance, are almost always met with “What’s that?”

A jumble of regulations

Municipal organizations may have dozens of departments, divisions, or lines of business with varying regulatory requirements from numerous federal and state agencies. Municipal governments do a lot. They may be involved in building bridges, managing traffic signals, providing water, waste, electric and sewer services, supervising elections and recording deeds while providing physical and mental health services and dental care.

A typical County government may have to comply with regulations like HIPAA[v] (Health Insurance Portability and Accountability Act) and 42 CFR[vi] while also complying with policies from CJIS[vii] (Criminal Justice Information Systems) in addition to compliance with state regulations from organizations such as an Office of Mental Health, or Department of Health. Additional requirements for records management from State Archives agencies add to those complexities and often contradict other regulatory requirements.

Shared Infrastructure

Departments with vastly different information security and regulatory compliance requirements often coexist on a shared network where the security posture is designed for the lowest common denominator rather than for the highest. Often, municipal IT staff members don’t have clearly defined policies and procedures for reviewing information such as security logs and system events. Even if they do record these events, their stance is usually reactive rather than proactive.

Silos and turf wars

Counties and municipalities may have highly distributed management structures which function as silos rather than as a cohesive team. In some states, the silos may be a “feature” of constitutional government where elected officials manage some departments and may not be accountable to central executives. One result of this is that a county executive, and consequently County IT, may not have global control of IT and information security because other elected officials choose not to cooperate. Some real-world examples I have seen include:

County Judges and their staff members refusing to sign and abide by acceptable use policies.

County Sheriffs refusing to cooperate with an IT security audit claiming their security policy and processes are “secret.”

Social Services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.

Silos in organizations create massive gaps in security management. When multiple parties are responsible for security, no one is responsible.

Most security problems are internal

90% of breaches occur because of an internal mistake[viii] and 60% of breaches are a result of internal attacks[ix]. Unfortunately, county and municipal information security programs often treat outside threats as 100% of the problem rather than focusing on more probable internal threats.

Budget

Insufficient budget is often used as an excuse for low quality IT services and lack of security in public sector organizations. It’s usually a red herring. In my experience, there is no correlation between budget and quality in the public sector. I have seen small, low-budget organizations build excellent security programs and have also seen large organizations with eight-figure tech budgets fail to establish even the most elementary components of an information security program. A cybersecurity program will cost money, but it doesn’t have to bust your budget.

Political Hiring

In local government, critical management positions are often filled based on political considerations rather than quality of candidates. Expertise in information security should be a major component in your CIO’s toolkit.

Tech versus strategic thinking

If you think in terms of technology, stop it! I am always a little suspicious of industry professionals who fall in love with a particular technology. Technology is rapidly replaced or superseded so think strategically instead. There is no such thing as a technology problem; there are only business problems. Identify and solve for the business problem and the appropriate technical solution will reveal itself.

Start with Information Governance (IG)

What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity.

Information Security and cybersecurity must be components of your overarching Information Governance (IG) Program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a standalone program outside of the context of your organization’s information universe will produce a narrow approach. Do you currently have an IG program?

I can hear some grumbling right now. “Jeff, when do we get to the important stuff?”

IG is the important stuff. There are no silver bullets. There are no miracle pills that will address your information security requirements. No miraculous hardware or software will magically keep your information safe unless you have the right policies in place. There is some real work to do here and the P-things are the most effective tools to pack for your InfoSec journey. You will develop these from your IG Program:

Policies, Processes, Procedures, Protocols, People

What is information governance?

I like Robert Smallwood’s succinct definition of Information Governance: “security, control and optimization of information.”[x] In order to develop sound InfoSec and cybersecurity programs, you must know what you are protecting and why you are protecting it. The purpose of the IG program is to map, understand and manage your entire information universe. The map you create will serve as the foundation for your information security programs.

In a municipal government organization, an IG committee may include legal, HR, records management, IT, finance, and auditors, as well as other departments. Let’s say your municipality has a public health clinic, recorder of deeds, personnel/payroll and a sheriff. This means you have medical records, prisoner health records, recorded 911 calls, police reports, mortgage documents, confidential personnel records, payroll records, social security numbers and a lot more. The people with special knowledge about the nature and disposition of all this information must be on your committee.

In some organizations, information and security policy is developed at the whim of the CIO or IT Director. Is that IT Director expert in statutory requirements and industry best practices for all the areas mentioned above? I doubt it. This is why you need a cross-functional team to map the universe and make a comprehensive plan.

Establishing a comprehensive information security program

Once you have begun building your IG foundation and framework, your InfoSec and cybersecurity requirements will be much clearer. Also, IG, InfoSec, and cybersecurity are not one-time activities. They require a process for continuous improvement like PDCA (Plan, Do, Check, Act) or DMAIC (Define, Measure, Analyze, Improve, Control). Get something in place first, and then continue to improve it. Attempting to get it perfect from the start will only result in implementation delays. This job never ends, but it gets much easier once a solid foundation has been built.

Once you have a comprehensive understanding of your information universe, develop security policies and programs for implementation and enforcement of those policies.

Use an existing framework. Designing comprehensive information security programs is more complicated than installing firewalls and anti-virus software and there is a great deal to think about.

There are many freely available information security tools in addition to standards and frameworks that require payment or membership in an organization. You can build a successful security program using only free tools, but my crystal ball is on the fritz today so I can’t see which tool is best for your organization. I wish I could tell you there is a one-stop shop, but there isn’t. You will have to evaluate your situation, do the research and make informed decisions about the best approach for your organization. Following is a brief discussion of some of them.

NIST

The National Institute of Standards and Technology (NIST) provides an enormous quantity of information and the gateway to it is available here. NIST’s Framework for Improving Critical Infrastructure Cybersecurity is available here and a new draft was released in January of 2017. Their Cybersecurity Framework Workshop starts on May 16, 2017 in Gaithersburg, MD if you would like to attend and learn more about it. You can also view a webcast with an overview of the Framework. In their words, “The core of the framework was designed to cover the entire breadth of cybersecurity . . . across cyber, physical, and personnel.”[xi]

SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations will likely be an essential part of your planning process if you are building upon NIST.

HIPAA

If a division of your public sector organization provides clinical services, it might fit the definition of a covered entity (CE). If so, that division is required to comply with applicable federal regulations including the HIPAA Security Rule. The regulation provides a clear, jargon-free framework for developing information security policies and programs. While it won’t address all the requirements for a municipal cybersecurity program, it can help you build a solid foundation for your security programs. I don’t have any official data on HIPAA Security Rule compliance in municipal organizations, but my personal experience is that it is extremely low. Is your CE compliant? If not, why not bring your entire organization up to HIPAA standards?

I have worked extensively with HIPAA regulations and NIST products for nearly two decades and I like them a lot. If they are not a good fit for your organization, there are other resources, including the following three.

ISF

The Information Security Forum (ISF) publishes the Standard of Good Practice for Information Security, available free to ISF members.

ISO

The International Organization for Standardization (ISO) publishes the ISO/IEC 27000 family of standards for Information security management systems. ISO products are not inexpensive, but in the overall scheme of things you might find them to be a reasonable investment. Organizations can certify through accredited registrars, which can also be an expensive process.

ISACA

ISACA publishes COBIT5, “the leading framework for the governance and management of enterprise IT” which provides an integrated information security framework as part of a larger IT governance framework. According to Joseph Granneman, “It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.”[xii]

The role of vendors

Trusted vendors can be helpful in building your programs, but overreliance on vendors for security advice is a suboptimal approach. While they may be knowledgeable about many aspects of your industry, only you and your cross-functional IG team truly understand your business requirements. Their job is to “sell you stuff” but they will generally draw the line at writing policy and taking responsibility for overall information security in your organization. If there is a major breach or some other catastrophic security event in your organization that becomes public, you are the one whose picture will be in the paper.

Summary – one step at a time

Take a few simple steps toward improving your cybersecurity infrastructure:

More Information

If you found this information useful, or would like to discuss cybersecurity in your organization in more detail, please feel free to e-mail me at jmorgan@e-volvellc.com. I would be glad to discuss your situation.

This article first appeared in cio.com at http://www.cio.com/article/3184618/government-use-of-it/county-and-municipal-cybersecurity-part-1.html

Is your information secure?

Are your organization’s information assets absolutely secure? Do your staff and contractors assure you that everything is safe? How do they know? And how about all those paper files? Is confidential data appropriately labeled and stored in a secure, locked and monitored facility? How do you know? How would anyone even know if there was a breach?

The role of IT Staff

I have sat in meetings with IT Staff who have sworn up and down that the network is secure without any facts or data to support that assertion. What are your IT staff and contractors doing every day to ensure that your information is secure? And what about staff that maintain other types of physical instruments and records?

The role of vendors

I have also sat in many meetings with security vendors who have made outrageous and patently false statements, like “our product is HIPAA compliant.” (There is no such thing. The HIPAA Security Rule is a federal regulation that describes the framework for developing a security policy for certain types of information and organizations. HIPAA is purposely technology- and vendor-neutral.) Every security vendor wants you to believe that they are selling a magical product that will keep your organization secure from all the evils that result from being connected to the entire world through the Internet.

There are no magic products

The truth of the matter is that there are no products or services that will inherently ensure and maintain the confidentiality, integrity and availability (CIA) of your information. Information Security is about process, policy, procedure, and training rather than about installing products. A successful security program comes as a result of looking closely at both the macro view and the micro details and taking appropriate, thoughtful actions using a cycle of continuous improvement. Security products might be a part of your overall security strategy, but without sensible policies, procedures, and training the products themselves are unlikely to produce the desired, advertised result.

Do you have a Comprehensive Information Security Policy?

If you are larger than a Mom and Pop operation, you should have a Comprehensive Information Security Policy. If you are running a municipality or corporation with dozens or hundreds of employees, the lack of such a policy probably constitutes organizational malpractice or malfeasance at some level. Moreover, your policy shouldn’t be just a dusty book on the shelf – all your employees should have had training on and understand the policy.

You can wait for a catastrophic security event to wake your organization up, or you can take action now to prevent an embarrassing and costly revelation. For instance, if your organization is required to comply with HIPAA, the wake-up call could come in the form of a multi-million dollar fine from HHS or civil litigation. Or you might end up paying ransom to buy back your data from data pirates. These risks are real and well documented.

How do I get started with a Security Policy?

There are many options for developing a comprehensive information security policy. You can purchase kits, buy books, hire consultants, etc. You can do it yourself, or contract it out, but the process will be largely the same either way. I will give you a 40,000 foot view and you can decide how to proceed. Other than time, the initial costs should not be high, but securing your information infrastructure will definitely have some impact on your budget, albeit less than the eventual cost of not addressing security. Even if this is a DIY project, outsourcing some aspects is probably appropriate unless you have staff members who have been extensively trained in information security domains and disciplines.

Make sure the right people are at the table!

This is NOT an Information Technology project. It is a critical enterprise business, policy and security project, so you want to make sure you have the appropriate stakeholders at the table. Establish a multi-disciplinary committee to participate in the process. Managers and Department Heads from different departments may provide illuminating perspectives and the group must also include rank and file members of your staff who actually do the work (AKA the minions). Staff members with security and military backgrounds may have much to contribute. People who may have had experience in highly regulated industries, such as Pharmaceutical, Insurance, Medical, Public and Mental Health, and Law Enforcement may also have much to contribute to the process. HR and Legal must be at the table. I am certain that your organization has untapped, expert resources, so find them and use them.

Inventory your Assets

Once your Information Security Committee is assembled, it’s time to get to work. The first step is going to be a Risk Assessment. Since you have already established your Information Security Committee, begin the Risk Assessment process by cataloging and categorizing all your information resources. Information in this catalog may include paper files, network and computer files including backups, archival and historical records, microfilm, tax records, specifications, etc. There are payroll records, health insurance records, possibly protected medical information, HR information, meeting records, AR and AP records. All of these records may contain information protected by local, state or federal statute. There may be proprietary information related to manufacturing or other information such as videos, films, and sound recordings that you may want or need to protect in some way. Use an interrogative process to identify, catalog, and categorize all this information. The output of this process should be a detailed document that clearly identifies all of these assets.

It may be appropriate to contract a qualified consultant for the Risk Assessment process. Why? Regardless of how intelligent and qualified the members of your staff are, they are probably immersed in your organizational culture. They may have biases and make assumptions because “we have always done it this way.” Outsiders may be able to see past the assumptions and biases that your staff members can’t.

Once you have completed this process, you will almost certainly have found information that you didn’t even know you had. If you found sensitive information without any plan for protecting it, you might have trouble sleeping until your committee comes up with a plan.

Once you know what types of information you are responsible for, ask yourself and the Subject Matter Experts on your committee what statutes apply. There are at least a handful of regulations that always apply, and there may be dozens of regulations dealing with information-specific data you have to consider. You probably also found information not protected by statute that needs to be addressed. Do your current policies cover all the information in your catalog? In a subsequent article, I will continue with the next steps for securing your information.

The thinking of your staff will not change overnight

If you have a large catalog of unprotected, sensitive information, changing the thinking of your staff toward privacy and security may take a while – months or years. Also, this is a perfect time to do a Business Process Review of your information collection operations. Maybe your forms are decades old and no longer reflect current practices. For instance, do you really need to collect social security numbers from the public? If you are collecting this information, are you handing out a Privacy Policy when you ask for it? Are the people providing information truly giving informed consent?

If you want to discuss Information Security in your organization, send me an e-mail at jmorgan@e-volvellc.com.